March 27, 2017 — “For the second time in two weeks, developers of the popular LastPass password manager are working to fix a serious vulnerability that could allow malicious websites to steal user passwords or infect computers with malware,” Computerworld reports. “Like the LastPass flaws patched last week, the new issue was discovered and reported to LastPass by Tavis Ormandy, a researcher with Google’s Project Zero team.” Withholding technical details, Ormandy publicly disclosed the existence of the vulnerability on Twitter and said it “affects the latest version of the LastPass browser extension for all major browsers.” He also said he has successfully exploited it on Windows and Linux. “If the extension’s binary component is also installed, the vulnerability allows attackers to execute malicious code on users’ computers when they visit a rogue website,” Computerworld says. “If the component is not present, the flaw can still be used to extract passwords from users’ secure password vaults.” Ormandy has also stated that simply having the extension installed in the browser is enough for an attacker to exploit the vulnerability; the user does not need to interact with it or be logged in to a particular site. In a blog post, LastPass says it is “actively addressing the vulnerability.” It went on to say the “attack is unique and highly sophisticated. We don’t want to disclose anything specific about the vulnerability or our fix that could reveal anything to less sophisticated but nefarious parties.”